Codes and Ciphers
Codes and Ciphers - Julius Caesar, the ENIGMA, and the Internet
excerpt | The orders arrive encrypted into groups of five random-looking letters, printed out on the blue tissue paper that is used for top-secret cablegrams. The message has been encrypted in Washington using a one-time pad, which is a slow and awkward but, in theory, perfectly unbreakable cipher used for the most important messages. Waterhouse knows this because he is one of the only two persons in Pearl Harbor who has clearance to decrypt it. The other one is Commander Schoen, and he is under sedation today. The duty officer opens up the appropriate safe and gives him the one-time pad for the day, which is basically a piece of graph paper covered with numbers printed in groups of five. The numbers have been chosen by secretaries in a basement in Washington by shuffling cards or drawing chits out of a hat. They are pure noise. One copy of the pure noise is in Waterhouse's hands, and the other copy is used by the person who encrypted this message in Washington.
If a single encrypted knock is intercepted it's highly unlikely that it can be decrypted. However, if multiple knocks are intercepted it is possible that the eavesdropper can correctly guess content which is present in the knocks (such as the IP address). Having multiple encrypted knocks and the knowledge that the decrypted knocks are similar can increase the chances of the decryption being broken.
As an aside, if you're interested in a fun fiction story about cryptoanalysis try Cryptonomicon by Neal Stephenson. A very accessible book, containing some mathematical background, which introduces cryptography is Codes and Ciphers : Julius Caesar, the ENIGMA, and the Internet by Robert Churchhouse.
Ok, back to serious matters. Francisco (www.blackant.net) brought up the point of including random data in the knock sequence and a non-contiguous listening port range to try to spoof eavesdroppers. I think this idea has merit. For example, If the daemon was originally listening for knocks on ports 500-755, remap this range to, something like 450-469,480-499,510-529,... Ports 470-479,500-509,... are not monitored by the daemon. If the client knows the port range which is not monitored by the daemon, the encrypted knock sequence can be tained with any number of random port values in this range.
For example, the port knock sequence 455,485,515 is equivalent to 455,470,485,500,515,530 because the daemon only sees connections to the bold ports. Any method that tries to make the knock sequence more complicated by heuristics is likely to have less success than selecting a cryptographically strong cipher.